Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't run as root when building protobuf files #251

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Don't run as root when building protobuf files #251

wants to merge 3 commits into from

Conversation

kommendorkapten
Copy link
Member

May close #244

Summary

Make sure that docker does not run as root when building protobuf files.

Release Note

N/A

Documentation

N/A

@kommendorkapten
Copy link
Member Author

This is a quite massive rewrite as getting everything to run as a non-root user isn't trivial. I would appreciate if as many as possible could run

$ make clean
$ make
$ git status

And verify that it all builds correctly and no un-expected modifications happens to the generate files.

@kommendorkapten kommendorkapten mentioned this pull request Mar 7, 2024
Open
@kommendorkapten
white space fixes
9027b78 
Signed-off-by: Fredrik Skogman <[email protected]>
kommendorkapten
kommendorkapten commented Mar 7, 2024
View reviewed changes
Dockerfile.jsonschema

# Switch user
ARG uid=1000
RUN adduser -u ${uid} -S builder
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alpine does not use the "standard" useradd command.

loosebazooka
loosebazooka reviewed Mar 7, 2024
View reviewed changes
Makefile Show resolved Hide resolved
@loosebazooka
Copy link
Member

Nice! Works for me.

haydentherapper
haydentherapper requested changes Mar 11, 2024
View reviewed changes
Dockerfile
@@ -6,15 +6,23 @@ RUN set -ex && \
apt-get install -y --no-install-recommends \
python3-pip

# Install Python dev dependencies.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Testing locally, I had to move lines 14-18, the apt-get for curl and build-essential, above 10-12, or else it failed with E: Failed to fetch http://deb.debian.org/debian/pool/main/p/perl/perl-modules-5.32_5.32.1-4%2bdeb11u2_all.deb 404 Not Found [IP: 151.101.22.132 80] (not sure why). Can we swap the order?

Dockerfile
python3 -m pip install --requirement /tmp/dev-requirements.txt
# Switch user
ARG uid=1000
RUN useradd -u ${uid} -s /bin/sh -m builder
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I got an error: adduser: number 561799 is not in 0..256000 range. Looks like https://stackoverflow.com/questions/41807026/cant-add-a-user-with-a-high-uid-in-docker-alpine would be the fix?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting, I'll try to take a look later this week.

@haydentherapper
Copy link
Collaborator

This is awesome, thanks so much for tackling this.

@haydentherapper
Copy link
Collaborator

@kommendorkapten, did you get a chance to look into the open comments, or would you like someone to take a look?

@kommendorkapten
Copy link
Member Author

@haydentherapper Last weeks was busy with preparation for KubeCon and so. I'm back now from the Easter break so I would be able to work on this again this week.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@loosebazooka loosebazooka loosebazooka left review comments

@haydentherapper haydentherapper haydentherapper requested changes

@woodruffw woodruffw Awaiting requested review from woodruffw

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Permissions error running make locally
3 participants
@kommendorkapten @loosebazooka @haydentherapper